Should we be worried about Android app permissions?

If you’re really honest, do you actually read the permissions that Android apps are asking for before you install them? If you do, then there’s little doubt that you’re in the minority. Most of us treat them like terms and conditions, blindly clicking, or tapping, our way through. Is this something we should be taking more seriously? What are we actually giving away here?

Developers are well aware that most people don’t pay much attention to permissions and a lot of them have been surreptitiously adding more and more permissions to the list. Take a look at this chart of permissions for some of the most popular apps and games around.

Do these apps really need all these permissions? If you dig into the list, which you can find via the View details link under Permissions on the Play Store page for each app, then you’ll find some pretty puzzling requests.

The popular game Cut the Rope, for example, requests permission for your Location, and yet the Privacy Policy from its developer, ZeptoLab, specifically states “Geo-Location Data. ZeptoLab does not ask you for, access, or track any location based information at any time while downloading or using ZeptoLab’s mobile applications or services.”

I emailed and asked about it, and here’s what Community Manager Olga Antsiferova told me:

“Location data is needed for advertising SDKs to show people the ads which are relevant to their country. It is also used in both free and paid version of our games to identify countries with COPPA law. Finally, it is used in analytics, but it is important to understand that we gather only general, not personified info (i.e. “today we received 10k downloads from UK”) and we do not track individual devices.”

I’m not singling Cut the Rope out for any particular reason, by the way. You could pick an app at random and probably find a permission that’s puzzling at first glance.

What’s the problem?

A spotlight, or flashlight, was thrown on the issue a while back when popular free app Brightest Flashlight turned out to be selling location data and device ID information to third party advertisers. It transpired that it was far from the only app engaging in a fire sale of our personal data. A lot of flashlight apps are asking for permissions they absolutely do not need to function. It’s not a phenomenon that’s restricted to flashlight apps.

In all likelihood what we’re talking about here is the sale of anonymized data to advertisers, so that developers can generate a little extra cash. Some of you might be okay with that. But you’re actually putting a lot of trust in these developers. It’s one thing to trust that Google isn’t going to do anything untoward with your personal data (and some people struggle with that idea), but how much do you know about the publishers and developers behind the apps you’re using, or the third-party advertising networks that they work with?

Is there a worse scenario? Are you giving them the permission to do things like upload all your personal photos to a web server or sell your contacts list? While it may be technically possible in some instances, it’s extremely unlikely that they’re actually doing that; it’s illegal and they wouldn’t get away with it for long. The most likely explanation is generally innocuous: an app might want access to your photos to allow you to upload an image directly in the app without having to jump through hoops or quit the app and start up the gallery app.

The problem is that most people don’t really know what the permissions mean, they aren’t willing to research it, and they don’t want to have to. What they really want is to be able to trust that someone else is looking out for them.

Google does have your back, up to a point

The Play Store is pretty secure. Google does a lot of work behind the scenes to make sure that the apps on offer are safe. Most of the scaremongering about malware on Android is designed to sell security apps. If you only ever download apps from the Play Store with high numbers of downloads and a good review score, and you don’t tick the Unknown sources box in Settings > Security then you realistically have nothing serious to worry about.

The trouble kicks in if you’re concerned about privacy. If you don’t like the idea of giving strangers potential access to a lot of personal data. If you don’t like the idea of them collecting information about your habits. There’s a gray area of acceptability there that Google isn’t policing.

Your only real option if you don’t like the permissions that an app is requesting is to not install it. But, why is that the case?

Puzzling changes

Google simplified app permissions last summer (some people will say dumbed down) and things are grouped into sections now. This was supposed to make it easier for people, but it actually makes it tougher to see what specific permissions you are granting. It also means that an app can request a new permission in an update and if you’ve already granted a permission in that section it’s automatically granted without your say-so.
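One way to check for this before accepting an update is to compare the permission lists of the installed and the new version and flag additions that land in a group you have already granted. The script below is an added example, not part of the original article: the group mapping is a partial, illustrative assumption, and the two permission dumps are constructed sample data in the style of `aapt dump permissions` output for a hypothetical app.

```python
import re

# Partial, illustrative mapping of permissions to the simplified Play Store
# groups (an assumption for this example, not Google's full table).
GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "Camera",
}

# Constructed sample dumps for a hypothetical app, old and new version.
OLD_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.RECEIVE_SMS'
"""
NEW_DUMP = OLD_DUMP + """uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""

def parse_permissions(dump):
    """Return the set of permission names, accepting quoted or bare form."""
    pattern = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?", re.M)
    return set(pattern.findall(dump))

def diff_update(old_dump, new_dump):
    """Split permissions added by an update into (silent, other)."""
    old, new = parse_permissions(old_dump), parse_permissions(new_dump)
    granted_groups = {GROUPS[p] for p in old if p in GROUPS}
    silent, other = [], []
    for perm in sorted(new - old):
        group = GROUPS.get(perm)  # None: unmapped, review by hand
        # Same group as something already granted: added without a prompt.
        (silent if group in granted_groups else other).append((perm, group))
    return silent, other

if __name__ == "__main__":
    silent, other = diff_update(OLD_DUMP, NEW_DUMP)
    for perm, group in silent:
        print(f"SILENT  {group:10} {perm}")
    for perm, group in other:
        print(f"REVIEW  {str(group):10} {perm}")
```

On the sample data, the precise-location and SMS-sending permissions are reported as silent additions because their groups were already granted, while the contacts permission falls in a new group.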

We need better control over permissions

There are a lot of other ways this could work. You could be asked for a permission when an app actually needs to use it, but this could arguably impair the user experience. You could also have a clear menu where you can go in and deny specific permissions, or tell the app to ask when it needs that permission. Something like App Ops which Google rolled out and then retracted.

Google brought App Ops out in Android 4.3, though it was never advertised. It was quietly removed in Android 4.4.2. It allowed you to revoke specific permissions for apps. Officially Google claimed it was only ever intended for developers. It’s possible part of the reason it was removed was to prevent stability issues for apps if users started revoking permissions all over the place, but realistically it probably had a lot more to do with advertising revenue. If you could use free apps and easily block permissions that generate ads (and revenue for the developers) then you probably would, right? That could make Android app development unprofitable for many.

What can you do?

The bottom line is that most developers are asking for permissions because of some function or feature in the app and the request is legitimate. There’s another tier of apps that are trying to turn a profit by selling anonymized data. Unfortunately it’s not always easy for the average person to tell the difference. If you’re concerned, then make sure you read the permissions and the privacy policy. There’s no substitute for doing a little digging to see what you can uncover. If you routinely download apps from outside the Play Store then you really can’t afford to ignore permissions.

You can find a bunch of permission managers in the Play Store, many confusingly called App Ops or some variant. If you’re rooted then check out X Privacy Installer for smart protection that won’t make the apps fail.

Tell us what you think. Do you read app permissions before every install? Are you worried about leaking personal info? Do you care about anonymized data for advertisers? Is Google doing enough to protect our privacy?